personal-data-harvester
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user to establish persistent background execution for the data harvesting pipeline, which maintains access across sessions. Evidence includes:
  - Instructions to add a daily recurring task to the system crontab (`0 3 * * * cd ~/.personal-harvest && python3 ...`).
  - A template for creating a macOS launchd service agent (`com.personal-harvest.plist`) that automatically executes the Python harvesting scripts at regular intervals.
- [DATA_EXFILTRATION]: The skill accesses sensitive local application data and manages authenticated session state:
  - It programmatically reads the internal SQLite databases of the WeChat Reading application (`~/Library/Containers/com.tencent.WeReadMac/Data/Library/Application Support/WeRead/*.db`) to extract private reading history and notes.
  - It accesses the Kindle `My Clippings.txt` file for local data harvesting.
  - It utilizes persistent browser contexts to automate authenticated sessions and stores harvested session cookies locally in `~/.personal-harvest/cookies.json`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from multiple external sources, which is then structured for use by the agent.
  - Ingestion points: Data is fetched from Douban (web), Bilibili (API), Xiaohongshu (web), Douyin (metadata resolver), and local files (Kindle text, WeChat Read SQLite DB).
  - Boundary markers: None; the skill does not wrap processed content in delimiters or include instructions to ignore embedded commands.
  - Capability inventory: The skill operates using the high-privilege `bash` and `computer` tools.
  - Sanitization: None; the skill extracts raw text (titles, user notes, summaries) from platform DOM elements and local databases without filtering or validation.
Recommendations
- AI detected serious security threats